Ivan Berezovskiy30d60742020-01-16 16:47:02 +04001parameters:
2 _param:
# Barbican (key manager) default API policy, one mapping per OpenStack release.
# Values are oslo.policy check strings. Ocata carries an empty mapping; what the
# consumer does with an empty mapping is not visible here (presumably the
# service's built-in defaults apply — confirm).
barbican_default_policy_ocata: {}
barbican_default_policy_pike:
  # Role aliases. `role:admin` matches on the role name alone; a rule is only
  # project-scoped when a *_project_match term is and-ed into it.
  "admin": "role:admin"
  "admin_or_creator": "rule:admin or rule:creator"
  # Neither admin_or_user nor admin_or_user_does_not_work is referenced by any
  # other rule in this mapping.
  "admin_or_user": "rule:admin or project_id:%(project_id)s"
  "admin_or_user_does_not_work": "project_id:%(project_id)s"
  # all_but_audit excludes the audit and service_admin roles; all_users
  # includes both.
  "all_but_audit": "rule:admin or rule:observer or rule:creator"
  "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
  "audit": "role:audit"
  "certificate_authorities:get_all": "rule:admin"
  "certificate_authorities:get_global_preferred_ca": "rule:service_admin"
  "certificate_authorities:get_limited": "rule:all_users"
  "certificate_authorities:get_preferred_ca": "rule:all_users"
  "certificate_authorities:post": "rule:admin"
  "certificate_authorities:unset_global_preferred": "rule:service_admin"
  "certificate_authority:add_to_project": "rule:admin"
  "certificate_authority:delete": "rule:admin"
  "certificate_authority:get": "rule:all_users"
  "certificate_authority:get_ca_cert_chain": "rule:all_users"
  "certificate_authority:get_cacert": "rule:all_users"
  "certificate_authority:get_projects": "rule:service_admin"
  "certificate_authority:remove_from_project": "rule:admin"
  "certificate_authority:set_global_preferred": "rule:service_admin"
  "certificate_authority:set_preferred": "rule:admin"
  # NOTE(review): consumers:post and consumers:delete accept
  # rule:container_non_private_read, which expands through rule:all_users and
  # therefore includes the observer and audit roles. As written, read-oriented
  # roles can add or remove consumers on non-private containers in their own
  # project; tighten if that is not intended.
  "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
  "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
  "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
  "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
  "container:delete": "rule:container_project_admin or rule:container_project_creator"
  "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
  # Compares the literal 'read' with target.container.read; how the service
  # fills that target attribute from the container ACL is not visible here.
  "container_acl_read": "'read':%(target.container.read)s"
  "container_acls:delete": "rule:container_project_admin or rule:container_project_creator"
  "container_acls:get": "rule:all_but_audit and rule:container_project_match"
  "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"
  "container_creator_user": "user:%(target.container.creator_id)s"
  "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"
  # Passes when the target's read_project_access is False, i.e. the container
  # is private; container_non_private_read negates it.
  "container_private_read": "'False':%(target.container.read_project_access)s"
  "container_project_admin": "rule:admin and rule:container_project_match"
  "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"
  "container_project_match": "project:%(target.container.project_id)s"
  # NOTE(review): role-only checks with no container_project_match term;
  # whether the service restricts the lookup to the caller's project before
  # enforcing is not visible in this file — verify.
  "container_secret:delete": "rule:admin"
  "container_secret:post": "rule:admin"
  "containers:get": "rule:all_but_audit"
  "containers:post": "rule:admin_or_creator"
  "creator": "role:creator"
  "observer": "role:observer"
  "order:delete": "rule:admin"
  "order:get": "rule:all_users"
  "order:put": "rule:admin_or_creator"
  "orders:get": "rule:all_but_audit"
  "orders:post": "rule:admin_or_creator"
  "project_quotas:delete": "rule:service_admin"
  "project_quotas:get": "rule:service_admin"
  "project_quotas:put": "rule:service_admin"
  "quotas:get": "rule:all_users"
  # secret:decrypt gates retrieval of the secret payload. Its non-private path
  # uses all_but_audit, whereas secret:get (metadata) uses all_users, so the
  # audit role can read secret metadata but cannot decrypt by role alone.
  "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
  "secret:delete": "rule:secret_project_admin or rule:secret_project_creator"
  "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
  "secret:put": "rule:admin_or_creator and rule:secret_project_match"
  # Per-secret ACL grant; applies to both secret:get and secret:decrypt above.
  "secret_acl_read": "'read':%(target.secret.read)s"
  "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"
  "secret_acls:get": "rule:all_but_audit and rule:secret_project_match"
  "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"
  "secret_creator_user": "user:%(target.secret.creator_id)s"
  "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
  # NOTE(review): the secret_meta:* rules are role-only (no
  # secret_project_match term); project scoping, if any, is not expressed in
  # this policy — verify against the service.
  "secret_meta:delete": "rule:admin_or_creator"
  "secret_meta:get": "rule:all_but_audit"
  "secret_meta:post": "rule:admin_or_creator"
  "secret_meta:put": "rule:admin_or_creator"
  "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
  # Passes when the secret's read_project_access is False (private secret).
  "secret_private_read": "'False':%(target.secret.read_project_access)s"
  "secret_project_admin": "rule:admin and rule:secret_project_match"
  "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"
  "secret_project_match": "project:%(target.secret.project_id)s"
  "secrets:get": "rule:all_but_audit"
  "secrets:post": "rule:admin_or_creator"
  "secretstore:get": "rule:admin"
  "secretstore_preferred:delete": "rule:admin"
  "secretstore_preferred:post": "rule:admin"
  "secretstores:get": "rule:admin"
  "secretstores:get_global_default": "rule:admin"
  "secretstores:get_preferred": "rule:admin"
  # Cross-project role used for quota and global-CA operations.
  "service_admin": "role:key-manager:service-admin"
  "transport_key:delete": "rule:admin"
  "transport_key:get": "rule:all_users"
  "transport_keys:get": "rule:all_users"
  "transport_keys:post": "rule:admin"
  # "@" is the oslo.policy always-allow check.
  "version:get": "@"
# Queens reuses the Pike mapping through a ${_param:...} reference.
barbican_default_policy_queens: ${_param:barbican_default_policy_pike}
# BGPVPN (networking-bgpvpn) default API policy per release.
# NOTE(review): the Ocata and Pike keys are spelled `bgppvn_...` while the
# Queens key is spelled `bgpvpn_...`. The Queens reference points at the
# misspelled Pike key, so it resolves, but any consumer that looks up
# `bgpvpn_default_policy_pike` or `bgpvpn_default_policy_ocata` would not find
# these mappings and the intended restrictions would silently not apply —
# check the consumers before renaming.
bgppvn_default_policy_ocata: {}
bgppvn_default_policy_pike:
  # rule:admin_only and rule:admin_or_owner are not defined in this mapping;
  # presumably they come from the Neutron base policy — confirm. In oslo.policy
  # a reference to an undefined rule evaluates to False (fails closed).
  "create_bgpvpn": "rule:admin_only"
  "create_bgpvpn_network_association": "rule:admin_or_owner"
  "create_bgpvpn_port_association": "rule:admin_or_owner"
  "create_bgpvpn_router_association": "rule:admin_or_owner"
  "delete_bgpvpn": "rule:admin_only"
  "delete_bgpvpn_network_association": "rule:admin_or_owner"
  "delete_bgpvpn_port_association": "rule:admin_or_owner"
  "delete_bgpvpn_router_association": "rule:admin_or_owner"
  "get_bgpvpn": "rule:admin_or_owner"
  # Attribute-level rules: owners may read a BGPVPN, but the routing
  # attributes and tenant_id are restricted to admin_only.
  "get_bgpvpn:export_targets": "rule:admin_only"
  "get_bgpvpn:import_targets": "rule:admin_only"
  "get_bgpvpn:route_distinguishers": "rule:admin_only"
  "get_bgpvpn:route_targets": "rule:admin_only"
  "get_bgpvpn:tenant_id": "rule:admin_only"
  "get_bgpvpn_network_association": "rule:admin_or_owner"
  "get_bgpvpn_network_association:tenant_id": "rule:admin_only"
  "get_bgpvpn_network_associations": "rule:admin_or_owner"
  "get_bgpvpn_port_association": "rule:admin_or_owner"
  "get_bgpvpn_port_association:tenant_id": "rule:admin_only"
  "get_bgpvpn_port_associations": "rule:admin_or_owner"
  "get_bgpvpn_router_association": "rule:admin_or_owner"
  "get_bgpvpn_router_association:tenant_id": "rule:admin_only"
  "get_bgpvpn_router_associations": "rule:admin_or_owner"
  "update_bgpvpn": "rule:admin_or_owner"
  # Same split on update: owners may update the object, only admin_only may
  # change route targets, distinguishers or tenant_id.
  "update_bgpvpn:export_targets": "rule:admin_only"
  "update_bgpvpn:import_targets": "rule:admin_only"
  "update_bgpvpn:route_distinguishers": "rule:admin_only"
  "update_bgpvpn:route_targets": "rule:admin_only"
  "update_bgpvpn:tenant_id": "rule:admin_only"
  "update_bgpvpn_network_association": "rule:admin_or_owner"
  "update_bgpvpn_port_association": "rule:admin_or_owner"
  "update_bgpvpn_router_association": "rule:admin_or_owner"
bgpvpn_default_policy_queens: ${_param:bgppvn_default_policy_pike}
# Cinder (block storage) default API policy per release. Queens reuses the
# Pike mapping; Ocata is an empty mapping.
cinder_default_policy_ocata: {}
cinder_default_policy_pike:
  # admin_api requires either an is_admin context or the admin role held on
  # the admin project; admin_or_owner additionally accepts a project_id match.
  "admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
  "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
  "backup:backup-export": "rule:admin_api"
  "backup:backup-import": "rule:admin_api"
  "backup:backup_project_attribute": "rule:admin_api"
  # An empty check string always passes in oslo.policy: every caller that
  # reaches the API is allowed by policy. Any ownership check for the ""
  # entries in this mapping has to come from the service code, which is not
  # visible here.
  "backup:create": ""
  "backup:delete": "rule:admin_or_owner"
  "backup:get_all": "rule:admin_or_owner"
  "backup:get": "rule:admin_or_owner"
  "backup:restore": "rule:admin_or_owner"
  "backup:update": "rule:admin_or_owner"
  "clusters:get_all": "rule:admin_api"
  "clusters:get": "rule:admin_api"
  "clusters:update": "rule:admin_api"
  # "group:nobody" is a generic check that only passes when the credentials
  # carry group == nobody, so these actions appear intended to be disabled.
  # NOTE(review): "!" is the explicit always-deny form and does not depend on
  # no credential ever carrying that value.
  "consistencygroup:create_cgsnapshot": "group:nobody"
  "consistencygroup:create": "group:nobody"
  "consistencygroup:delete_cgsnapshot": "group:nobody"
  "consistencygroup:delete": "group:nobody"
  "consistencygroup:get_all_cgsnapshots": "group:nobody"
  "consistencygroup:get_all": "group:nobody"
  "consistencygroup:get_cgsnapshot": "group:nobody"
  "consistencygroup:get": "group:nobody"
  "consistencygroup:update": "group:nobody"
  # Fallback for actions that have no entry of their own.
  "default": "rule:admin_or_owner"
  "group:access_group_types_specs": "rule:admin_api"
  "group:create": ""
  "group:create_group_snapshot": ""
  "group:delete_group_snapshot": "rule:admin_or_owner"
  "group:delete": "rule:admin_or_owner"
  "group:disable_replication": "rule:admin_or_owner"
  "group:enable_replication": "rule:admin_or_owner"
  "group:failover_replication": "rule:admin_or_owner"
  "group:get_all_group_snapshots": "rule:admin_or_owner"
  "group:get_all": "rule:admin_or_owner"
  "group:get_group_snapshot": "rule:admin_or_owner"
  "group:get": "rule:admin_or_owner"
  "group:group_type_access": "rule:admin_or_owner"
  "group:group_types_manage": "rule:admin_api"
  "group:group_types_specs": "rule:admin_api"
  "group:list_replication_targets": "rule:admin_or_owner"
  "group:reset_group_snapshot_status": "rule:admin_api"
  "group:reset_status": "rule:admin_api"
  "group:update_group_snapshot": "rule:admin_or_owner"
  "group:update": "rule:admin_or_owner"
  "message:delete": "rule:admin_or_owner"
  "message:get_all": "rule:admin_or_owner"
  "message:get": "rule:admin_or_owner"
  "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
  "snapshot_extension:list_manageable": "rule:admin_api"
  # NOTE(review): a status-changing action left open by policy, while the
  # reset_status admin actions further down require admin_api — confirm this
  # asymmetry is intended for the deployment.
  "snapshot_extension:snapshot_actions:update_snapshot_status": ""
  "snapshot_extension:snapshot_manage": "rule:admin_api"
  "snapshot_extension:snapshot_unmanage": "rule:admin_api"
  "volume:accept_transfer": ""
  "volume:attachment_create": ""
  "volume:attachment_delete": "rule:admin_or_owner"
  "volume:attachment_update": "rule:admin_or_owner"
  "volume:create": ""
  "volume:create_from_image": ""
  "volume:create_snapshot": "rule:admin_or_owner"
  "volume:create_transfer": "rule:admin_or_owner"
  "volume:create_volume_metadata": "rule:admin_or_owner"
  "volume:delete": "rule:admin_or_owner"
  "volume:delete_snapshot_metadata": "rule:admin_or_owner"
  "volume:delete_snapshot": "rule:admin_or_owner"
  "volume:delete_transfer": "rule:admin_or_owner"
  "volume:delete_volume_metadata": "rule:admin_or_owner"
  "volume:extend_attached_volume": "rule:admin_or_owner"
  "volume:extend": "rule:admin_or_owner"
  "volume_extension:access_types_extra_specs": "rule:admin_api"
  "volume_extension:access_types_qos_specs_id": "rule:admin_api"
  "volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
  "volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
  "volume_extension:capabilities": "rule:admin_api"
  "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
  "volume_extension:hosts": "rule:admin_api"
  "volume_extension:list_manageable": "rule:admin_api"
  "volume_extension:qos_specs_manage:create": "rule:admin_api"
  "volume_extension:qos_specs_manage:delete": "rule:admin_api"
  "volume_extension:qos_specs_manage:get_all": "rule:admin_api"
  "volume_extension:qos_specs_manage:get": "rule:admin_api"
  "volume_extension:qos_specs_manage:update": "rule:admin_api"
  "volume_extension:quota_classes": "rule:admin_api"
  "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
  "volume_extension:quotas:delete": "rule:admin_api"
  # NOTE(review): quota display is open by policy; whether the service limits
  # it to the caller's own project is not visible here — verify.
  "volume_extension:quotas:show": ""
  "volume_extension:quotas:update": "rule:admin_api"
  "volume_extension:services:index": "rule:admin_api"
  "volume_extension:services:update": "rule:admin_api"
  "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
  "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
  "volume_extension:types_extra_specs:create": "rule:admin_api"
  "volume_extension:types_extra_specs:delete": "rule:admin_api"
  "volume_extension:types_extra_specs:index": "rule:admin_api"
  "volume_extension:types_extra_specs:show": "rule:admin_api"
  "volume_extension:types_extra_specs:update": "rule:admin_api"
  "volume_extension:types_manage": "rule:admin_api"
  # Owners may upload a volume as an image; making it public needs admin_api.
  "volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
  "volume_extension:volume_actions:upload_public": "rule:admin_api"
  "volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
  "volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
  "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
  "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
  "volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
  "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
  "volume_extension:volume_host_attribute": "rule:admin_api"
  "volume_extension:volume_image_metadata": "rule:admin_or_owner"
  "volume_extension:volume_manage": "rule:admin_api"
  "volume_extension:volume_mig_status_attribute": "rule:admin_api"
  "volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
  "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
  "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
  "volume_extension:volume_type_access": "rule:admin_or_owner"
  "volume_extension:volume_type_encryption": "rule:admin_api"
  "volume_extension:volume_unmanage": "rule:admin_api"
  "volume:failover_host": "rule:admin_api"
  "volume:force_delete": "rule:admin_api"
  "volume:freeze_host": "rule:admin_api"
  "volume:get_all": "rule:admin_or_owner"
  "volume:get_all_snapshots": "rule:admin_or_owner"
  "volume:get_all_transfers": "rule:admin_or_owner"
  "volume:get": "rule:admin_or_owner"
  "volume:get_snapshot_metadata": "rule:admin_or_owner"
  "volume:get_snapshot": "rule:admin_or_owner"
  "volume:get_transfer": "rule:admin_or_owner"
  # Admin metadata is kept apart from user-editable volume metadata.
  "volume:get_volume_admin_metadata": "rule:admin_api"
  "volume:get_volume_metadata": "rule:admin_or_owner"
  "volume:retype": "rule:admin_or_owner"
  "volume:revert_to_snapshot": "rule:admin_or_owner"
  "volume:thaw_host": "rule:admin_api"
  "volume:update_readonly_flag": "rule:admin_or_owner"
  "volume:update": "rule:admin_or_owner"
  "volume:update_snapshot_metadata": "rule:admin_or_owner"
  "volume:update_snapshot": "rule:admin_or_owner"
  "volume:update_volume_admin_metadata": "rule:admin_api"
  "volume:update_volume_metadata": "rule:admin_or_owner"
  "workers:cleanup": "rule:admin_api"
cinder_default_policy_queens: ${_param:cinder_default_policy_pike}
# Designate (DNS) default API policy per release. The Pike mapping is
# anchored so that the Queens mapping can merge it (`<<`) and override
# individual keys.
designate_default_policy_ocata: {}
designate_default_policy_pike: &designate_default_policy_pike
  "abandon_zone": "rule:admin"
  # NOTE(review): `admin` matches the admin role on any project (there is no
  # is_admin_project term, unlike the cinder and heat mappings in this file).
  "admin": "role:admin or is_admin:True"
  "admin_or_owner": "rule:admin or rule:owner"
  "admin_or_owner_or_target": "rule:owner_or_target or rule:admin"
  "admin_or_target": "rule:admin or rule:target"
  # Cross-tenant listing is admin only.
  "all_tenants": "rule:admin"
  "count_records": "rule:admin_or_owner"
  "count_recordset": "rule:admin_or_owner"
  "count_tenants": "rule:admin"
  "count_zones": "rule:admin_or_owner"
  "count_zones_pending_notify": "rule:admin_or_owner"
  "create_blacklist": "rule:admin"
  "create_pool": "rule:admin"
  "create_record": "rule:admin_or_owner"
  "create_recordset": "rule:zone_primary_or_admin"
  "create_tld": "rule:admin"
  "create_tsigkey": "rule:admin"
  "create_zone": "rule:admin_or_owner"
  "create_zone_export": "rule:admin_or_owner"
  "create_zone_import": "rule:admin_or_owner"
  # The `None:%(target_tenant_id)s` term passes when the transfer request has
  # no target tenant, so an untargeted request can be accepted by any tenant
  # as far as policy is concerned. NOTE(review): presumably the transfer key
  # is the remaining control — confirm.
  "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
  "create_zone_transfer_request": "rule:admin_or_owner"
  # Fallback for actions that have no entry of their own.
  "default": "rule:admin_or_owner"
  "delete_blacklist": "rule:admin"
  "delete_pool": "rule:admin"
  "delete_record": "rule:admin_or_owner"
  "delete_recordset": "rule:zone_primary_or_admin"
  "delete_tld": "rule:admin"
  "delete_tsigkey": "rule:admin"
  "delete_zone": "rule:admin_or_owner"
  "delete_zone_import": "rule:admin_or_owner"
  "delete_zone_transfer_accept": "rule:admin"
  "delete_zone_transfer_request": "rule:admin_or_owner"
  "diagnostics_ping": "rule:admin"
  "diagnostics_sync_record": "rule:admin"
  "diagnostics_sync_zone": "rule:admin"
  "diagnostics_sync_zones": "rule:admin"
  "edit_managed_records": "rule:admin"
  "find_blacklist": "rule:admin"
  "find_blacklists": "rule:admin"
  "find_pool": "rule:admin"
  "find_pools": "rule:admin"
  "find_record": "rule:admin_or_owner"
  "find_records": "rule:admin_or_owner"
  "find_recordset": "rule:admin_or_owner"
  "find_recordsets": "rule:admin_or_owner"
  "find_service_status": "rule:admin"
  "find_service_statuses": "rule:admin"
  "find_tenants": "rule:admin"
  "find_tlds": "rule:admin"
  "find_tsigkeys": "rule:admin"
  "find_zone": "rule:admin_or_owner"
  "find_zone_exports": "rule:admin_or_owner"
  "find_zone_imports": "rule:admin_or_owner"
  "find_zone_transfer_accept": "rule:admin"
  "find_zone_transfer_accepts": "rule:admin"
  # "@" always allows: policy does not restrict who may list transfer
  # requests. Any per-tenant filtering would have to happen in the service.
  "find_zone_transfer_request": "@"
  "find_zone_transfer_requests": "@"
  "find_zones": "rule:admin_or_owner"
  "get_blacklist": "rule:admin"
  "get_pool": "rule:admin"
  "get_quota": "rule:admin_or_owner"
  "get_quotas": "rule:admin_or_owner"
  "get_record": "rule:admin_or_owner"
  "get_records": "rule:admin_or_owner"
  "get_recordset": "rule:admin_or_owner"
  "get_recordsets": "rule:admin_or_owner"
  "get_tenant": "rule:admin"
  "get_tld": "rule:admin"
  "get_tsigkey": "rule:admin"
  "get_zone": "rule:admin_or_owner"
  "get_zone_export": "rule:admin_or_owner"
  "get_zone_import": "rule:admin_or_owner"
  "get_zone_servers": "rule:admin_or_owner"
  "get_zone_transfer_accept": "rule:admin_or_owner"
  "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
  "get_zone_transfer_request_detailed": "rule:admin_or_owner"
  "get_zones": "rule:admin_or_owner"
  "owner": "tenant:%(tenant_id)s"
  "owner_or_target": "rule:target or rule:owner"
  # NOTE(review): the rule is named primary_zone but matches zone_type
  # SECONDARY. No other rule in this mapping references it, so it has no
  # effect here; anyone who starts using it should check which zone type is
  # meant.
  "primary_zone": "target.zone_type:SECONDARY"
  "purge_zones": "rule:admin"
  "reset_quotas": "rule:admin"
  "set_quota": "rule:admin"
  "target": "tenant:%(target_tenant_id)s"
  "touch_zone": "rule:admin_or_owner"
  "update_blacklist": "rule:admin"
  "update_pool": "rule:admin"
  "update_record": "rule:admin_or_owner"
  "update_recordset": "rule:zone_primary_or_admin"
  "update_service_service_status": "rule:admin"
  "update_tld": "rule:admin"
  "update_tsigkey": "rule:admin"
  "update_zone": "rule:admin_or_owner"
  "update_zone_export": "rule:admin_or_owner"
  "update_zone_import": "rule:admin_or_owner"
  "update_zone_transfer_accept": "rule:admin"
  "update_zone_transfer_request": "rule:admin_or_owner"
  # Privileged request modifiers, all admin only.
  "use_blacklisted_zone": "rule:admin"
  "use_low_ttl": "rule:admin"
  "use_sudo": "rule:admin"
  "xfr_zone": "rule:admin_or_owner"
  "zone_create_forced_pool": "rule:admin"
  "zone_export": "rule:admin_or_owner"
  # Recordset writes: owners and admins on PRIMARY zones; on SECONDARY zones
  # only an is_admin:True context passes (the admin role alone is not in that
  # branch).
  "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Queens = Pike plus the overrides below. Keys written with no value are YAML
# null and replace the merged Pike value. NOTE(review): presumably the consumer
# drops null entries so that the action falls back to the service default or
# to the "default" rule — confirm. Null is not the same as "", which would
# mean "always allow".
designate_default_policy_queens:
  << : *designate_default_policy_pike
  "create_record":
  # The recordset rules inline the same expression that Pike keeps in
  # zone_primary_or_admin.
  "create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
  "create_zone_transfer_accept": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
  "delete_record":
  "delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
  "find_record":
  "find_records": "rule:admin_or_owner"
  "find_recordset":
  "find_recordsets":
  "find_zone":
  "get_record":
  "get_records":
  "get_zone_transfer_request": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
  "update_record":
  "update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
  # update_service_status is added and the Pike key
  # update_service_service_status is nulled.
  "update_service_status": "rule:admin"
  "update_service_service_status":
# Glance (image service) default API policy per release. Queens reuses the
# Pike mapping; Ocata is an empty mapping.
glance_default_policy_ocata: {}
glance_default_policy_pike:
  # Most actions below use "", which always passes in oslo.policy. Policy
  # therefore does not separate owners from other callers for image create,
  # modify, delete, download or member management; any ownership or
  # visibility check has to come from the service itself, which is not
  # visible in this file.
  "add_image": ""
  "add_member": ""
  "add_metadef_namespace": ""
  "add_metadef_object": ""
  "add_metadef_property": ""
  "add_metadef_resource_type_association": ""
  "add_metadef_tag": ""
  "add_metadef_tags": ""
  "add_task": ""
  "communitize_image": ""
  # NOTE(review): the admin role is matched on any project (no
  # is_admin_project term, unlike the cinder and heat mappings in this file).
  "context_is_admin": "role:admin"
  "copy_from": ""
  "deactivate": ""
  # Actions without an entry of their own fall back to admin only.
  "default": "role:admin"
  "delete_image": ""
  # NOTE(review): the three *_image_location rules are open by policy. They
  # only matter if the deployment exposes image locations; if it does,
  # restricting them is worth considering — confirm the service configuration.
  "delete_image_location": ""
  "delete_member": ""
  "download_image": ""
  "get_image": ""
  "get_image_location": ""
  "get_images": ""
  "get_member": ""
  "get_members": ""
  "get_metadef_namespace": ""
  "get_metadef_namespaces": ""
  "get_metadef_object": ""
  "get_metadef_objects": ""
  "get_metadef_properties": ""
  "get_metadef_property": ""
  "get_metadef_resource_type": ""
  "get_metadef_tag": ""
  "get_metadef_tags": ""
  "get_task": ""
  "get_tasks": ""
  "list_metadef_resource_types": ""
  "manage_image_cache": "role:admin"
  "modify_image": ""
  "modify_member": ""
  "modify_metadef_namespace": ""
  "modify_metadef_object": ""
  "modify_metadef_property": ""
  "modify_metadef_tag": ""
  "modify_task": ""
  # Making an image public is admin only, while communitize_image above is
  # open.
  "publicize_image": "role:admin"
  "reactivate": ""
  "set_image_location": ""
  # The individual task rules above are open, but access to the tasks API as
  # a whole is admin only.
  "tasks_api_access": "role:admin"
  "upload_image": ""
glance_default_policy_queens: ${_param:glance_default_policy_pike}
# Heat (orchestration) default API policy per release. Queens reuses the Pike
# mapping; Ocata is an empty mapping.
heat_default_policy_ocata: {}
heat_default_policy_pike:
  # Most actions use rule:deny_stack_user, a negative check: it passes for
  # every caller that does NOT hold the heat_stack_user role. It does not
  # require any positive role.
  "actions:action": "rule:deny_stack_user"
  "build_info:build_info": "rule:deny_stack_user"
  "cloudformation:CancelUpdateStack": "rule:deny_stack_user"
  "cloudformation:CreateStack": "rule:deny_stack_user"
  "cloudformation:DeleteStack": "rule:deny_stack_user"
  "cloudformation:DescribeStackEvents": "rule:deny_stack_user"
  # The "" entries in this mapping always pass, so they are the only actions
  # left open to heat_stack_user as well. NOTE(review): presumably these are
  # the calls made from inside stack instances — confirm.
  "cloudformation:DescribeStackResource": ""
  "cloudformation:DescribeStackResources": "rule:deny_stack_user"
  "cloudformation:DescribeStacks": "rule:deny_stack_user"
  "cloudformation:EstimateTemplateCost": "rule:deny_stack_user"
  "cloudformation:GetTemplate": "rule:deny_stack_user"
  "cloudformation:ListStackResources": "rule:deny_stack_user"
  "cloudformation:ListStacks": "rule:deny_stack_user"
  "cloudformation:UpdateStack": "rule:deny_stack_user"
  "cloudformation:ValidateTemplate": "rule:deny_stack_user"
  "cloudwatch:DeleteAlarms": "rule:deny_stack_user"
  "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user"
  "cloudwatch:DescribeAlarms": "rule:deny_stack_user"
  "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user"
  "cloudwatch:DisableAlarmActions": "rule:deny_stack_user"
  "cloudwatch:EnableAlarmActions": "rule:deny_stack_user"
  "cloudwatch:GetMetricStatistics": "rule:deny_stack_user"
  "cloudwatch:ListMetrics": "rule:deny_stack_user"
  "cloudwatch:PutMetricAlarm": "rule:deny_stack_user"
  "cloudwatch:PutMetricData": ""
  "cloudwatch:SetAlarmState": "rule:deny_stack_user"
  # Admin context requires the admin role on the admin project.
  "context_is_admin": "role:admin and is_admin_project:True"
  # "!" is the oslo.policy always-deny check.
  "deny_everybody": "!"
  "deny_stack_user": "not role:heat_stack_user"
  "events:index": "rule:deny_stack_user"
  "events:show": "rule:deny_stack_user"
  # project_admin is the admin role on any project; it is weaker than
  # context_is_admin above, which also requires is_admin_project:True.
  "project_admin": "role:admin"
  "resource:index": "rule:deny_stack_user"
  "resource:mark_unhealthy": "rule:deny_stack_user"
  "resource:metadata": ""
  "resource:show": "rule:deny_stack_user"
  "resource:signal": ""
  # Resource types that manage cloud-wide objects (volume types, quotas,
  # flavors, provider networks, Keystone resources) are limited to
  # project_admin.
  "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
  "resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
  "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
  "resource_types:OS::Cinder::Quota": "rule:project_admin"
  "resource_types:OS::Cinder::VolumeType": "rule:project_admin"
  "resource_types:OS::Keystone::*": "rule:project_admin"
  "resource_types:OS::Manila::ShareType": "rule:project_admin"
  "resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
  "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
  "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
  "resource_types:OS::Neutron::Quota": "rule:project_admin"
  "resource_types:OS::Neutron::Segment": "rule:project_admin"
  "resource_types:OS::Nova::Flavor": "rule:project_admin"
  "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
  "resource_types:OS::Nova::Quota": "rule:project_admin"
  "service:index": "rule:context_is_admin"
  "software_configs:create": "rule:deny_stack_user"
  "software_configs:delete": "rule:deny_stack_user"
  # The cross-project listings (global_index) are denied to every caller,
  # admins included.
  "software_configs:global_index": "rule:deny_everybody"
  "software_configs:index": "rule:deny_stack_user"
  "software_configs:show": "rule:deny_stack_user"
  "software_deployments:create": "rule:deny_stack_user"
  "software_deployments:delete": "rule:deny_stack_user"
  "software_deployments:index": "rule:deny_stack_user"
  "software_deployments:metadata": ""
  "software_deployments:show": "rule:deny_stack_user"
  "software_deployments:update": "rule:deny_stack_user"
  "stacks:abandon": "rule:deny_stack_user"
  "stacks:create": "rule:deny_stack_user"
  "stacks:delete": "rule:deny_stack_user"
  "stacks:delete_snapshot": "rule:deny_stack_user"
  "stacks:detail": "rule:deny_stack_user"
  "stacks:environment": "rule:deny_stack_user"
  "stacks:export": "rule:deny_stack_user"
  "stacks:files": "rule:deny_stack_user"
  "stacks:generate_template": "rule:deny_stack_user"
  "stacks:global_index": "rule:deny_everybody"
  "stacks:index": "rule:deny_stack_user"
  "stacks:list_outputs": "rule:deny_stack_user"
  "stacks:list_resource_types": "rule:deny_stack_user"
  "stacks:list_snapshots": "rule:deny_stack_user"
  "stacks:list_template_functions": "rule:deny_stack_user"
  "stacks:list_template_versions": "rule:deny_stack_user"
  "stacks:lookup": ""
  "stacks:preview": "rule:deny_stack_user"
  "stacks:preview_update": "rule:deny_stack_user"
  "stacks:preview_update_patch": "rule:deny_stack_user"
  "stacks:resource_schema": "rule:deny_stack_user"
  "stacks:restore_snapshot": "rule:deny_stack_user"
  "stacks:show": "rule:deny_stack_user"
  "stacks:show_output": "rule:deny_stack_user"
  "stacks:show_snapshot": "rule:deny_stack_user"
  "stacks:snapshot": "rule:deny_stack_user"
  "stacks:template": "rule:deny_stack_user"
  "stacks:update": "rule:deny_stack_user"
  "stacks:update_patch": "rule:deny_stack_user"
  "stacks:validate_template": "rule:deny_stack_user"
heat_default_policy_queens: ${_param:heat_default_policy_pike}
540 keystone_default_policy_ocata: {}
541 keystone_default_policy_pike: &keystone_default_policy_pike
542 "admin_or_owner": "rule:admin_required or rule:owner"
543 "admin_or_token_subject": "rule:admin_required or rule:token_subject"
544 "admin_required": "role:admin or is_admin:1"
545 "identity:add_endpoint_group_to_project": "rule:admin_required"
546 "identity:add_endpoint_to_project": "rule:admin_required"
547 "identity:add_user_to_group": "rule:admin_required"
548 "identity:authorize_request_token": "rule:admin_required"
549 "identity:check_endpoint_in_project": "rule:admin_required"
550 "identity:check_grant": "rule:admin_required"
551 "identity:check_implied_role": "rule:admin_required"
552 "identity:check_policy_association_for_endpoint": "rule:admin_required"
553 "identity:check_policy_association_for_region_and_service": "rule:admin_required"
554 "identity:check_policy_association_for_service": "rule:admin_required"
555 "identity:check_token": "rule:admin_or_token_subject"
556 "identity:check_user_in_group": "rule:admin_required"
557 "identity:create_consumer": "rule:admin_required"
558 "identity:create_credential": "rule:admin_required"
559 "identity:create_domain": "rule:admin_required"
560 "identity:create_domain_config": "rule:admin_required"
561 "identity:create_domain_role": "rule:admin_required"
562 "identity:create_endpoint": "rule:admin_required"
563 "identity:create_endpoint_group": "rule:admin_required"
564 "identity:create_grant": "rule:admin_required"
565 "identity:create_group": "rule:admin_required"
566 "identity:create_identity_provider": "rule:admin_required"
567 "identity:create_implied_role": "rule:admin_required"
568 "identity:create_mapping": "rule:admin_required"
569 "identity:create_policy": "rule:admin_required"
570 "identity:create_policy_association_for_endpoint": "rule:admin_required"
571 "identity:create_policy_association_for_region_and_service": "rule:admin_required"
572 "identity:create_policy_association_for_service": "rule:admin_required"
573 "identity:create_project": "rule:admin_required"
574 "identity:create_protocol": "rule:admin_required"
575 "identity:create_region": "rule:admin_required"
576 "identity:create_role": "rule:admin_required"
577 "identity:create_service": "rule:admin_required"
578 "identity:create_service_provider": "rule:admin_required"
579 "identity:create_trust": "user_id:%(trust.trustor_user_id)s"
580 "identity:create_user": "rule:admin_required"
581 "identity:delete_access_token": "rule:admin_required"
582 "identity:delete_consumer": "rule:admin_required"
583 "identity:delete_credential": "rule:admin_required"
584 "identity:delete_domain": "rule:admin_required"
585 "identity:delete_domain_config": "rule:admin_required"
586 "identity:delete_domain_role": "rule:admin_required"
587 "identity:delete_endpoint": "rule:admin_required"
588 "identity:delete_endpoint_group": "rule:admin_required"
589 "identity:delete_group": "rule:admin_required"
590 "identity:delete_identity_provider": "rule:admin_required"
591 "identity:delete_implied_role": "rule:admin_required"
592 "identity:delete_mapping": "rule:admin_required"
593 "identity:delete_policy": "rule:admin_required"
594 "identity:delete_policy_association_for_endpoint": "rule:admin_required"
595 "identity:delete_policy_association_for_region_and_service": "rule:admin_required"
596 "identity:delete_policy_association_for_service": "rule:admin_required"
597 "identity:delete_project": "rule:admin_required"
598 "identity:delete_protocol": "rule:admin_required"
599 "identity:delete_region": "rule:admin_required"
600 "identity:delete_role": "rule:admin_required"
601 "identity:delete_service": "rule:admin_required"
602 "identity:delete_service_provider": "rule:admin_required"
603 "identity:delete_trust": ""
604 "identity:delete_user": "rule:admin_required"
605 "identity:ec2_create_credential": "rule:admin_or_owner"
606 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
607 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
608 "identity:ec2_list_credentials": "rule:admin_or_owner"
609 "identity:get_access_token": "rule:admin_required"
610 "identity:get_access_token_role": "rule:admin_required"
611 "identity:get_auth_catalog": ""
612 "identity:get_auth_domains": ""
613 "identity:get_auth_projects": ""
614 "identity:get_consumer": "rule:admin_required"
615 "identity:get_credential": "rule:admin_required"
616 "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"
617 "identity:get_domain_config": "rule:admin_required"
618 "identity:get_domain_config_default": "rule:admin_required"
619 "identity:get_domain_role": "rule:admin_required"
620 "identity:get_endpoint": "rule:admin_required"
621 "identity:get_endpoint_group": "rule:admin_required"
622 "identity:get_endpoint_group_in_project": "rule:admin_required"
623 "identity:get_group": "rule:admin_required"
624 "identity:get_identity_provider": "rule:admin_required"
625 "identity:get_implied_role": "rule:admin_required"
626 "identity:get_mapping": "rule:admin_required"
627 "identity:get_policy": "rule:admin_required"
628 "identity:get_policy_for_endpoint": "rule:admin_required"
629 "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
630 "identity:get_protocol": "rule:admin_required"
631 "identity:get_region": ""
632 "identity:get_role": "rule:admin_required"
633 "identity:get_role_for_trust": ""
634 "identity:get_security_compliance_domain_config": ""
635 "identity:get_service": "rule:admin_required"
636 "identity:get_service_provider": "rule:admin_required"
637 "identity:get_trust": ""
638 "identity:get_user": "rule:admin_or_owner"
639 "identity:list_access_token_roles": "rule:admin_required"
640 "identity:list_access_tokens": "rule:admin_required"
641 "identity:list_consumers": "rule:admin_required"
642 "identity:list_credentials": "rule:admin_required"
643 "identity:list_domain_roles": "rule:admin_required"
644 "identity:list_domains": "rule:admin_required"
645 "identity:list_domains_for_user": ""
646 "identity:list_endpoint_groups": "rule:admin_required"
647 "identity:list_endpoint_groups_for_project": "rule:admin_required"
648 "identity:list_endpoints": "rule:admin_required"
649 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"
650 "identity:list_endpoints_for_policy": "rule:admin_required"
651 "identity:list_endpoints_for_project": "rule:admin_required"
652 "identity:list_grants": "rule:admin_required"
653 "identity:list_groups": "rule:admin_required"
654 "identity:list_groups_for_user": "rule:admin_or_owner"
655 "identity:list_identity_providers": "rule:admin_required"
656 "identity:list_implied_roles": "rule:admin_required"
657 "identity:list_mappings": "rule:admin_required"
658 "identity:list_policies": "rule:admin_required"
659 "identity:list_projects": "rule:admin_required"
660 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required"
661 "identity:list_projects_for_endpoint": "rule:admin_required"
662 "identity:list_projects_for_user": ""
663 "identity:list_protocols": "rule:admin_required"
664 "identity:list_regions": ""
665 "identity:list_revoke_events": "rule:service_or_admin"
666 "identity:list_role_assignments": "rule:admin_required"
667 "identity:list_role_assignments_for_tree": "rule:admin_required"
668 "identity:list_role_inference_rules": "rule:admin_required"
669 "identity:list_roles": "rule:admin_required"
670 "identity:list_roles_for_trust": ""
671 "identity:list_service_providers": "rule:admin_required"
672 "identity:list_services": "rule:admin_required"
673 "identity:list_trusts": ""
674 "identity:list_user_projects": "rule:admin_or_owner"
675 "identity:list_users": "rule:admin_required"
676 "identity:list_users_in_group": "rule:admin_required"
677 "identity:remove_endpoint_from_project": "rule:admin_required"
678 "identity:remove_endpoint_group_from_project": "rule:admin_required"
679 "identity:remove_user_from_group": "rule:admin_required"
680 "identity:revocation_list": "rule:service_or_admin"
681 "identity:revoke_grant": "rule:admin_required"
682 "identity:revoke_token": "rule:admin_or_token_subject"
683 "identity:update_consumer": "rule:admin_required"
684 "identity:update_credential": "rule:admin_required"
685 "identity:update_domain": "rule:admin_required"
686 "identity:update_domain_config": "rule:admin_required"
687 "identity:update_domain_role": "rule:admin_required"
688 "identity:update_endpoint": "rule:admin_required"
689 "identity:update_endpoint_group": "rule:admin_required"
690 "identity:update_group": "rule:admin_required"
691 "identity:update_identity_provider": "rule:admin_required"
692 "identity:update_mapping": "rule:admin_required"
693 "identity:update_policy": "rule:admin_required"
694 "identity:update_project": "rule:admin_required"
695 "identity:update_protocol": "rule:admin_required"
696 "identity:update_region": "rule:admin_required"
697 "identity:update_role": "rule:admin_required"
698 "identity:update_service": "rule:admin_required"
699 "identity:update_service_provider": "rule:admin_required"
700 "identity:update_user": "rule:admin_required"
701 "identity:validate_token": "rule:service_admin_or_token_subject"
702 "identity:validate_token_head": "rule:service_or_admin"
703 "owner": "user_id:%(user_id)s"
704 "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
705 "service_or_admin": "rule:admin_required or rule:service_role"
706 "service_role": "role:service"
707 "token_subject": "user_id:%(target.token.user_id)s"
708 keystone_default_policy_queens:  # Keystone policy for Queens: the Pike mapping plus the keys listed below
709 << : *keystone_default_policy_pike  # YAML merge key: keys set explicitly in this mapping take precedence over merged ones
710 "identity:check_system_grant_for_group": "rule:admin_required"
711 "identity:check_system_grant_for_user": "rule:admin_required"
712 "identity:create_application_credential": "rule:admin_or_owner"
713 "identity:create_limits": "rule:admin_required"
714 "identity:create_project_tag": "rule:admin_required"
715 "identity:create_registered_limits": "rule:admin_required"
716 "identity:create_system_grant_for_group": "rule:admin_required"
717 "identity:create_system_grant_for_user": "rule:admin_required"
718 "identity:delete_application_credential": "rule:admin_or_owner"
719 "identity:delete_limit": "rule:admin_required"
720 "identity:delete_project_tag": "rule:admin_required"
721 "identity:delete_project_tags": "rule:admin_required"
722 "identity:delete_registered_limit": "rule:admin_required"
723 "identity:get_application_credential": "rule:admin_or_owner"
724 "identity:get_auth_system": ""  # empty oslo.policy rule: the check always passes at the policy layer
725 "identity:get_limit": ""  # empty rule (always passes), same for the other "" entries below
726 "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"  # admin, or a caller whose project_id equals the target project's id
727 "identity:get_registered_limit": ""
728 "identity:list_application_credentials": "rule:admin_or_owner"
729 "identity:list_limits": ""
730 "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"
731 "identity:list_registered_limits": ""
732 "identity:list_system_grants_for_group": "rule:admin_required"
733 "identity:list_system_grants_for_user": "rule:admin_required"
734 "identity:revoke_system_grant_for_group": "rule:admin_required"
735 "identity:revoke_system_grant_for_user": "rule:admin_required"
736 "identity:update_limits": "rule:admin_required"
737 "identity:update_project_tags": "rule:admin_required"
738 "identity:update_registered_limits": "rule:admin_required"
739 "identity:validate_token_head":  # NOTE(review): no value, so YAML loads null and replaces the Pike entry ("rule:service_or_admin") brought in by the merge; confirm the consumer drops the key rather than rendering an empty (always-allow) rule
740 manila_default_policy_ocata: {}  # empty mapping: this file defines no Manila policy entries for Ocata
741 manila_default_policy_pike:  # Manila policy rules for Pike; no YAML anchor here, the Queens entry reuses this mapping through ${_param:...}
742 "admin_api": "is_admin:True"  # passes only when the request credentials carry is_admin == True
743 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"  # admin, or caller's project_id equals the target's project_id
744 "availability_zone:index": "rule:default"
745 "context_is_admin": "role:admin"  # the "admin" role is what marks a request context as admin
746 "default": "rule:admin_or_owner"  # every "rule:default" entry below therefore resolves to admin_or_owner
747 "message:delete": "rule:default"
748 "message:get_all": "rule:default"
749 "message:get": "rule:default"
750 "quota_class_set:show": "rule:default"
751 "quota_class_set:update": "rule:admin_api"
752 "quota_set:delete": "rule:admin_api"
753 "quota_set:show": "rule:default"
754 "quota_set:update": "rule:admin_api"
755 "scheduler_stats:pools:detail": "rule:admin_api"
756 "scheduler_stats:pools:index": "rule:admin_api"
757 "security_service:create": "rule:default"
758 "security_service:delete": "rule:default"
759 "security_service:detail": "rule:default"
760 "security_service:get_all_security_services": "rule:admin_api"
761 "security_service:index": "rule:default"
762 "security_service:show": "rule:default"
763 "security_service:update": "rule:default"
764 "service:index": "rule:admin_api"
765 "service:update": "rule:admin_api"
766 "share:access_get_all": "rule:default"
767 "share:access_get": "rule:default"
768 "share:allow_access": "rule:default"
769 "share:create": ""  # empty rule: always passes at the policy layer, unlike the other share:* entries that go through rule:default
770 "share:create_snapshot": "rule:default"
771 "share:delete": "rule:default"
772 "share:delete_share_metadata": "rule:default"
773 "share:delete_snapshot": "rule:default"
774 "share:deny_access": "rule:default"
775 "share_export_location:index": "rule:default"
776 "share_export_location:show": "rule:default"
777 "share:extend": "rule:default"
778 "share:force_delete": "rule:admin_api"
779 "share:get_all": "rule:default"
780 "share:get": "rule:default"
781 "share:get_share_metadata": "rule:default"
782 "share_group:create": "rule:default"
783 "share_group:delete": "rule:default"
784 "share_group:force_delete": "rule:admin_api"
785 "share_group:get_all": "rule:default"
786 "share_group:get": "rule:default"
787 "share_group:reset_status": "rule:admin_api"
788 "share_group_snapshot:create": "rule:default"
789 "share_group_snapshot:delete": "rule:default"
790 "share_group_snapshot:force_delete": "rule:admin_api"
791 "share_group_snapshot:get_all": "rule:default"
792 "share_group_snapshot:get": "rule:default"
793 "share_group_snapshot:reset_status": "rule:admin_api"
794 "share_group_snapshot:update": "rule:default"
795 "share_group_type:add_project_access": "rule:admin_api"
796 "share_group_type:create": "rule:admin_api"
797 "share_group_type:default": "rule:default"
798 "share_group_type:delete": "rule:admin_api"
799 "share_group_type:index": "rule:default"
800 "share_group_type:list_project_access": "rule:admin_api"
801 "share_group_type:remove_project_access": "rule:admin_api"
802 "share_group_type:show": "rule:default"
803 "share_group_types_spec:create": "rule:admin_api"
804 "share_group_types_spec:delete": "rule:admin_api"
805 "share_group_types_spec:index": "rule:admin_api"
806 "share_group_types_spec:show": "rule:admin_api"
807 "share_group_types_spec:update": "rule:admin_api"
808 "share_group:update": "rule:default"
809 "share_instance_export_location:index": "rule:admin_api"
810 "share_instance_export_location:show": "rule:admin_api"
811 "share_instance:force_delete": "rule:admin_api"
812 "share_instance:index": "rule:admin_api"
813 "share_instance:reset_status": "rule:admin_api"
814 "share_instance:show": "rule:admin_api"
815 "share:list_by_host": "rule:admin_api"
816 "share:list_by_share_server_id": "rule:admin_api"
817 "share:manage": "rule:admin_api"
818 "share:migration_cancel": "rule:admin_api"
819 "share:migration_complete": "rule:admin_api"
820 "share:migration_get_progress": "rule:admin_api"
821 "share:migration_start": "rule:admin_api"
822 "share_network:add_security_service": "rule:default"
823 "share_network:create": "rule:default"
824 "share_network:delete": "rule:default"
825 "share_network:detail": "rule:default"
826 "share_network:get_all_share_networks": "rule:admin_api"
827 "share_network:index": "rule:default"
828 "share_network:remove_security_service": "rule:default"
829 "share_network:show": "rule:default"
830 "share_network:update": "rule:default"
831 "share_replica:create": "rule:default"
832 "share_replica:delete": "rule:default"
833 "share_replica:force_delete": "rule:admin_api"
834 "share_replica:get_all": "rule:default"
835 "share_replica:promote": "rule:default"
836 "share_replica:reset_replica_state": "rule:admin_api"
837 "share_replica:reset_status": "rule:admin_api"
838 "share_replica:resync": "rule:admin_api"
839 "share_replica:show": "rule:default"
840 "share:reset_status": "rule:admin_api"
841 "share:reset_task_state": "rule:admin_api"
842 "share:revert_to_snapshot": "rule:default"
843 "share_server:delete": "rule:admin_api"
844 "share_server:details": "rule:admin_api"
845 "share_server:index": "rule:admin_api"
846 "share_server:show": "rule:admin_api"
847 "share:shrink": "rule:default"
848 "share_snapshot:access_list": "rule:default"
849 "share_snapshot:allow_access": "rule:default"
850 "share_snapshot:deny_access": "rule:default"
851 "share_snapshot_export_location:index": "rule:default"
852 "share_snapshot_export_location:show": "rule:default"
853 "share_snapshot:force_delete": "rule:admin_api"
854 "share_snapshot:get_all_snapshots": "rule:default"
855 "share_snapshot:get_snapshot": "rule:default"
856 "share_snapshot_instance:detail": "rule:admin_api"
857 "share_snapshot_instance_export_location:index": "rule:admin_api"
858 "share_snapshot_instance_export_location:show": "rule:admin_api"
859 "share_snapshot_instance:index": "rule:admin_api"
860 "share_snapshot_instance:reset_status": "rule:admin_api"
861 "share_snapshot_instance:show": "rule:admin_api"
862 "share_snapshot:manage_snapshot": "rule:admin_api"
863 "share_snapshot:reset_status": "rule:admin_api"
864 "share_snapshot:unmanage_snapshot": "rule:admin_api"
865 "share:snapshot_update": "rule:default"
866 "share_type:add_project_access": "rule:admin_api"
867 "share_type:create": "rule:admin_api"
868 "share_type:default": "rule:default"
869 "share_type:delete": "rule:admin_api"
870 "share_type:index": "rule:default"
871 "share_type:list_project_access": "rule:admin_api"
872 "share_type:remove_project_access": "rule:admin_api"
873 "share_types_extra_spec:create": "rule:admin_api"
874 "share_types_extra_spec:delete": "rule:admin_api"
875 "share_types_extra_spec:index": "rule:admin_api"
876 "share_types_extra_spec:show": "rule:admin_api"
877 "share_types_extra_spec:update": "rule:admin_api"
878 "share_type:show": "rule:default"
879 "share:unmanage": "rule:admin_api"
880 "share:update": "rule:default"
881 "share:update_share_metadata": "rule:default"
882 manila_default_policy_queens: ${_param:manila_default_policy_pike}  # NOTE(review): looks like reclass-style interpolation reusing the Pike mapping as-is (confirm); unlike the keystone and neutron Queens entries, nothing is overridden here
883 neutron_default_policy_ocata: {}  # empty mapping: this file defines no Neutron policy entries for Ocata
884 neutron_default_policy_pike: &neutron_default_policy_pike  # Neutron policy rules for Pike; anchored so the Queens mapping can merge it
885 "add_router_interface": "rule:admin_or_owner"
886 "add_subports": "rule:admin_or_owner"
887 "admin_only": "rule:context_is_admin"
888 "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
889 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"  # admin, or caller's tenant_id equals the target's network:tenant_id (presumably the parent network's owner; confirm)
890 "admin_or_owner": "rule:context_is_admin or rule:owner"
891 "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
892 "context_is_admin": "role:admin"
893 "context_is_advsvc": "role:advsvc"
894 "create_address_scope": ""  # empty oslo.policy rule: always passes at the policy layer; the ":shared" attribute below stays admin-only
895 "create_address_scope:shared": "rule:admin_only"
896 "create_dhcp-network": "rule:admin_only"
897 "create_flavor": "rule:admin_only"
898 "create_flavor_service_profile": "rule:admin_only"
899 "create_floatingip": "rule:regular_user"
900 "create_floatingip:floating_ip_address": "rule:admin_only"
901 "create_l3-router": "rule:admin_only"
902 "create_log": "rule:admin_only"
903 "create_lsn": "rule:admin_only"
904 "create_metering_label": "rule:admin_only"
905 "create_metering_label_rule": "rule:admin_only"
906 "create_network": ""  # empty rule (always passes); the attribute-level create_network:* rules below are what gate provider, external and shared settings
907 "create_network:is_default": "rule:admin_only"
908 "create_network:provider:network_type": "rule:admin_only"
909 "create_network:provider:physical_network": "rule:admin_only"
910 "create_network:provider:segmentation_id": "rule:admin_only"
911 "create_network:router:external": "rule:admin_only"
912 "create_network:segments": "rule:admin_only"
913 "create_network:shared": "rule:admin_only"
914 "create_network_profile": "rule:admin_only"
915 "create_policy": "rule:admin_only"
916 "create_policy_bandwidth_limit_rule": "rule:admin_only"
917 "create_policy_dscp_marking_rule": "rule:admin_only"
918 "create_policy_minimum_bandwidth_rule": "rule:admin_only"
919 "create_port": ""  # empty rule (always passes); sensitive port attributes are gated by the create_port:* rules below
920 "create_port:allowed_address_pairs": "rule:admin_or_network_owner"
921 "create_port:binding:host_id": "rule:admin_only"
922 "create_port:binding:profile": "rule:admin_only"
923 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"  # "not" binds tighter than "or": (not network_device) or advsvc or admin_or_network_owner
924 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
925 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
926 "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
927 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
928 "create_qos_queue": "rule:admin_only"
929 "create_rbac_policy": ""  # empty rule (always passes); the wildcard target is restricted by the next entry
930 "create_rbac_policy:target_tenant": "rule:restrict_wildcard"
931 "create_router": "rule:regular_user"
932 "create_router:distributed": "rule:admin_only"
933 "create_router:external_gateway_info:enable_snat": "rule:admin_only"
934 "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
935 "create_router:ha": "rule:admin_only"
936 "create_security_group": "rule:admin_or_owner"
937 "create_security_group_rule": "rule:admin_or_owner"
938 "create_segment": "rule:admin_only"
939 "create_service_profile": "rule:admin_only"
940 "create_subnet": "rule:admin_or_network_owner"
941 "create_subnet:segment_id": "rule:admin_only"
942 "create_subnet:service_types": "rule:admin_only"
943 "create_subnetpool": ""
944 "create_subnetpool:is_default": "rule:admin_only"
945 "create_subnetpool:shared": "rule:admin_only"
946 "create_trunk": "rule:regular_user"
947 "default": "rule:admin_or_owner"
948 "delete_address_scope": "rule:admin_or_owner"
949 "delete_agent": "rule:admin_only"
950 "delete_dhcp-network": "rule:admin_only"
951 "delete_flavor": "rule:admin_only"
952 "delete_flavor_service_profile": "rule:admin_only"
953 "delete_floatingip": "rule:admin_or_owner"
954 "delete_l3-router": "rule:admin_only"
955 "delete_log": "rule:admin_only"
956 "delete_metering_label": "rule:admin_only"
957 "delete_metering_label_rule": "rule:admin_only"
958 "delete_network": "rule:admin_or_owner"
959 "delete_network_profile": "rule:admin_only"
960 "delete_policy": "rule:admin_only"
961 "delete_policy_bandwidth_limit_rule": "rule:admin_only"
962 "delete_policy_dscp_marking_rule": "rule:admin_only"
963 "delete_policy_minimum_bandwidth_rule": "rule:admin_only"
964 "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
965 "delete_rbac_policy": "rule:admin_or_owner"
966 "delete_router": "rule:admin_or_owner"
967 "delete_security_group": "rule:admin_or_owner"
968 "delete_security_group_rule": "rule:admin_or_owner"
969 "delete_segment": "rule:admin_only"
970 "delete_service_profile": "rule:admin_only"
971 "delete_subnet": "rule:admin_or_network_owner"
972 "delete_subnetpool": "rule:admin_or_owner"
973 "delete_trunk": "rule:admin_or_owner"
974 "external": "field:networks:router:external=True"  # field check: the target network has router:external set to True
975 "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
976 "get_agent": "rule:admin_only"
977 "get_agent-loadbalancers": "rule:admin_only"
978 "get_auto_allocated_topology": "rule:admin_or_owner"
979 "get_dhcp-agents": "rule:admin_only"
980 "get_dhcp-networks": "rule:admin_only"
981 "get_flavor": "rule:regular_user"
982 "get_flavor_service_profile": "rule:regular_user"
983 "get_flavors": "rule:regular_user"
984 "get_floatingip": "rule:admin_or_owner"
985 "get_l3-agents": "rule:admin_only"
986 "get_l3-routers": "rule:admin_only"
987 "get_loadbalancer-agent": "rule:admin_only"
988 "get_loadbalancer-hosting-agent": "rule:admin_only"
989 "get_loadbalancer-pools": "rule:admin_only"
990 "get_log": "rule:admin_only"
991 "get_loggable_resources": "rule:admin_only"
992 "get_logs": "rule:admin_only"
993 "get_lsn": "rule:admin_only"
994 "get_metering_label": "rule:admin_only"
995 "get_metering_label_rule": "rule:admin_only"
996 "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
997 "get_network:provider:network_type": "rule:admin_only"
998 "get_network:provider:physical_network": "rule:admin_only"
999 "get_network:provider:segmentation_id": "rule:admin_only"
1000 "get_network:queue_id": "rule:admin_only"
1001 "get_network:router:external": "rule:regular_user"
1002 "get_network:segments": "rule:admin_only"
1003 "get_network_ip_availabilities": "rule:admin_only"
1004 "get_network_ip_availability": "rule:admin_only"
1005 "get_network_profile": ""
1006 "get_network_profiles": ""
1007 "get_policy": "rule:regular_user"
1008 "get_policy_bandwidth_limit_rule": "rule:regular_user"
1009 "get_policy_dscp_marking_rule": "rule:regular_user"
1010 "get_policy_minimum_bandwidth_rule": "rule:regular_user"
1011 "get_policy_profile": ""
1012 "get_policy_profiles": ""
1013 "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
1014 "get_port:binding:host_id": "rule:admin_only"
1015 "get_port:binding:profile": "rule:admin_only"
1016 "get_port:binding:vif_details": "rule:admin_only"
1017 "get_port:binding:vif_type": "rule:admin_only"
1018 "get_port:queue_id": "rule:admin_only"
1019 "get_qos_queue": "rule:admin_only"
1020 "get_rbac_policy": "rule:admin_or_owner"
1021 "get_router": "rule:admin_or_owner"
1022 "get_router:distributed": "rule:admin_only"
1023 "get_router:ha": "rule:admin_only"
1024 "get_rule_type": "rule:regular_user"
1025 "get_security_group": "rule:admin_or_owner"
1026 "get_security_group_rule": "rule:admin_or_owner"
1027 "get_security_group_rules": "rule:admin_or_owner"
1028 "get_security_groups": "rule:admin_or_owner"
1029 "get_segment": "rule:admin_only"
1030 "get_service_profile": "rule:admin_only"
1031 "get_service_profiles": "rule:admin_only"
1032 "get_service_provider": "rule:regular_user"
1033 "get_subnet": "rule:admin_or_owner or rule:shared"
1034 "get_subnet:segment_id": "rule:admin_only"
1035 "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
1036 "get_subports": ""
1037 "get_trunk": "rule:admin_or_owner"
1038 "network_device": "field:port:device_owner=~^network:"  # regex field check: the port's device_owner starts with "network:"
1039 "owner": "tenant_id:%(tenant_id)s"  # caller's tenant_id equals the target's tenant_id
1040 "regular_user": ""  # empty rule: every "rule:regular_user" entry in this mapping always passes at the policy layer
1041 "remove_router_interface": "rule:admin_or_owner"
1042 "remove_subports": "rule:admin_or_owner"
1043 "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"  # only admins may set target_tenant to the "*" wildcard
1044 "shared": "field:networks:shared=True"
1045 "shared_address_scopes": "field:address_scopes:shared=True"
1046 "shared_subnetpools": "field:subnetpools:shared=True"
1047 "update_address_scope": "rule:admin_or_owner"
1048 "update_address_scope:shared": "rule:admin_only"
1049 "update_agent": "rule:admin_only"
1050 "update_flavor": "rule:admin_only"
1051 "update_floatingip": "rule:admin_or_owner"
1052 "update_log": "rule:admin_only"
1053 "update_network": "rule:admin_or_owner"
1054 "update_network:provider:network_type": "rule:admin_only"
1055 "update_network:provider:physical_network": "rule:admin_only"
1056 "update_network:provider:segmentation_id": "rule:admin_only"
1057 "update_network:router:external": "rule:admin_only"
1058 "update_network:segments": "rule:admin_only"
1059 "update_network:shared": "rule:admin_only"
1060 "update_network_profile": "rule:admin_only"
1061 "update_policy": "rule:admin_only"
1062 "update_policy_bandwidth_limit_rule": "rule:admin_only"
1063 "update_policy_dscp_marking_rule": "rule:admin_only"
1064 "update_policy_minimum_bandwidth_rule": "rule:admin_only"
1065 "update_policy_profiles": "rule:admin_only"
1066 "update_port": "rule:admin_or_owner or rule:context_is_advsvc"
1067 "update_port:allowed_address_pairs": "rule:admin_or_network_owner"
1068 "update_port:binding:host_id": "rule:admin_only"
1069 "update_port:binding:profile": "rule:admin_only"
1070 "update_port:data_plane_status": "rule:admin_or_data_plane_int"
1071 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"  # same precedence as create_port:device_owner: (not network_device) or advsvc or admin_or_network_owner
1072 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
1073 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"  # stricter than create_port:mac_address above, which also admits the network owner
1074 "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1075 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1076 "update_rbac_policy": "rule:admin_or_owner"
1077 "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
1078 "update_router": "rule:admin_or_owner"
1079 "update_router:distributed": "rule:admin_only"
1080 "update_router:external_gateway_info": "rule:admin_or_owner"
1081 "update_router:external_gateway_info:enable_snat": "rule:admin_only"
1082 "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
1083 "update_router:external_gateway_info:network_id": "rule:admin_or_owner"
1084 "update_router:ha": "rule:admin_only"
1085 "update_security_group": "rule:admin_or_owner"
1086 "update_segment": "rule:admin_only"
1087 "update_service_profile": "rule:admin_only"
1088 "update_subnet": "rule:admin_or_network_owner"
1089 "update_subnet:service_types": "rule:admin_only"
1090 "update_subnetpool": "rule:admin_or_owner"
1091 "update_subnetpool:is_default": "rule:admin_only"
1092 neutron_default_policy_queens:  # Neutron policy for Queens: the Pike mapping plus the keys listed below
1093 << : *neutron_default_policy_pike  # YAML merge key: keys set explicitly in this mapping take precedence over merged ones
1094 "create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1095 "create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1096 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"  # overrides the Pike value by adding "or rule:shared" (target network is shared)
1097 "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"  # no rule:shared here, so choosing a specific address stays limited to advsvc, admin or network owner
1098 "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1099 "create_router:external_gateway_info": "rule:admin_or_owner"
1100 "create_router:external_gateway_info:network_id": "rule:admin_or_owner"
1101 "update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1102 "update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1103 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"  # overrides the Pike value by adding "or rule:shared", mirroring create_port:fixed_ips
1104 "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1105 "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1106 nova_default_policy_ocata: {}  # empty mapping: this file defines no Nova policy entries for Ocata
1107 nova_default_policy_pike: &nova_default_policy_pike
1108 "admin_api": "is_admin:True"
1109 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
1110 "cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
1111 "cells_scheduler_filter:TargetCellFilter": "is_admin:True"
1112 "context_is_admin": "role:admin"
1113 "network:attach_external_network": "is_admin:True"
1114 "os_compute_api:extensions": "rule:admin_or_owner"
1115 "os_compute_api:flavors": "rule:admin_or_owner"
1116 "os_compute_api:image-size": "rule:admin_or_owner"
1117 "os_compute_api:ips:index": "rule:admin_or_owner"
1118 "os_compute_api:ips:show": "rule:admin_or_owner"
1119 "os_compute_api:limits": "rule:admin_or_owner"
1120 "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
1121 "os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
1122 "os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
1123 "os_compute_api:os-admin-password": "rule:admin_or_owner"
1124 "os_compute_api:os-agents": "rule:admin_api"
1125 "os_compute_api:os-aggregates:add_host": "rule:admin_api"
1126 "os_compute_api:os-aggregates:create": "rule:admin_api"
1127 "os_compute_api:os-aggregates:delete": "rule:admin_api"
1128 "os_compute_api:os-aggregates:index": "rule:admin_api"
1129 "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
1130 "os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
1131 "os_compute_api:os-aggregates:show": "rule:admin_api"
1132 "os_compute_api:os-aggregates:update": "rule:admin_api"
1133 "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
1134 "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
1135 "os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
1136 "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
1137 "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
1138 "os_compute_api:os-availability-zone:detail": "rule:admin_api"
1139 "os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
1140 "os_compute_api:os-baremetal-nodes": "rule:admin_api"
1141 "os_compute_api:os-cells": "rule:admin_api"
1142 "os_compute_api:os-cells:create": "rule:admin_api"
1143 "os_compute_api:os-cells:delete": "rule:admin_api"
1144 "os_compute_api:os-cells:sync_instances": "rule:admin_api"
1145 "os_compute_api:os-cells:update": "rule:admin_api"
1146 "os_compute_api:os-config-drive": "rule:admin_or_owner"
1147 "os_compute_api:os-console-auth-tokens": "rule:admin_api"
1148 "os_compute_api:os-console-output": "rule:admin_or_owner"
1149 "os_compute_api:os-consoles:create": "rule:admin_or_owner"
1150 "os_compute_api:os-consoles:delete": "rule:admin_or_owner"
1151 "os_compute_api:os-consoles:index": "rule:admin_or_owner"
1152 "os_compute_api:os-consoles:show": "rule:admin_or_owner"
1153 "os_compute_api:os-create-backup": "rule:admin_or_owner"
1154 "os_compute_api:os-deferred-delete": "rule:admin_or_owner"
1155 "os_compute_api:os-evacuate": "rule:admin_api"
1156 "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
1157 "os_compute_api:os-extended-server-attributes": "rule:admin_api"
1158 "os_compute_api:os-extended-status": "rule:admin_or_owner"
1159 "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
1160 "os_compute_api:os-fixed-ips": "rule:admin_api"
1161 "os_compute_api:os-flavor-access": "rule:admin_or_owner"
1162 "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
1163 "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
1164 "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
1165 "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
1166 "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
1167 "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
1168 "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
1169 "os_compute_api:os-flavor-manage": "rule:admin_api"
1170 "os_compute_api:os-flavor-manage:create": "rule:os_compute_api:os-flavor-manage"
1171 "os_compute_api:os-flavor-manage:delete": "rule:os_compute_api:os-flavor-manage"
1172 "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
1173 "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
1174 "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
1175 "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
1176 "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
1177 "os_compute_api:os-floating-ips": "rule:admin_or_owner"
1178 "os_compute_api:os-floating-ips-bulk": "rule:admin_api"
1179 "os_compute_api:os-fping": "rule:admin_or_owner"
1180 "os_compute_api:os-fping:all_tenants": "rule:admin_api"
1181 "os_compute_api:os-hide-server-addresses": "is_admin:False"
1182 "os_compute_api:os-hosts": "rule:admin_api"
1183 "os_compute_api:os-hypervisors": "rule:admin_api"
1184 "os_compute_api:os-instance-actions": "rule:admin_or_owner"
1185 "os_compute_api:os-instance-actions:events": "rule:admin_api"
1186 "os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
1187 "os_compute_api:os-keypairs": "rule:admin_or_owner"
1188 "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
1189 "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
1190 "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
1191 "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
1192 "os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
1193 "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
1194 "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
1195 "os_compute_api:os-migrate-server:migrate": "rule:admin_api"
1196 "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
1197 "os_compute_api:os-migrations:index": "rule:admin_api"
1198 "os_compute_api:os-multinic": "rule:admin_or_owner"
1199 "os_compute_api:os-networks": "rule:admin_api"
1200 "os_compute_api:os-networks-associate": "rule:admin_api"
1201 "os_compute_api:os-networks:view": "rule:admin_or_owner"
1202 "os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
1203 "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
1204 "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
1205 "os_compute_api:os-quota-class-sets:update": "rule:admin_api"
1206 "os_compute_api:os-quota-sets:defaults": "@"
1207 "os_compute_api:os-quota-sets:delete": "rule:admin_api"
1208 "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner"
1209 "os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
1210 "os_compute_api:os-quota-sets:update": "rule:admin_api"
1211 "os_compute_api:os-remote-consoles": "rule:admin_or_owner"
1212 "os_compute_api:os-rescue": "rule:admin_or_owner"
1213 "os_compute_api:os-security-group-default-rules": "rule:admin_api"
1214 "os_compute_api:os-security-groups": "rule:admin_or_owner"
1215 "os_compute_api:os-server-diagnostics": "rule:admin_api"
1216 "os_compute_api:os-server-external-events:create": "rule:admin_api"
1217 "os_compute_api:os-server-groups": "rule:admin_or_owner"
1218 "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
1219 "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
1220 "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
1221 "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"
1222 "os_compute_api:os-server-password": "rule:admin_or_owner"
1223 "os_compute_api:os-server-tags:delete": "rule:admin_or_owner"
1224 "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"
1225 "os_compute_api:os-server-tags:index": "rule:admin_or_owner"
1226 "os_compute_api:os-server-tags:show": "rule:admin_or_owner"
1227 "os_compute_api:os-server-tags:update": "rule:admin_or_owner"
1228 "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"
1229 "os_compute_api:os-server-usage": "rule:admin_or_owner"
1230 "os_compute_api:os-services": "rule:admin_api"
1231 "os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
1232 "os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
1233 "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
1234 "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
1235 "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
1236 "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
1237 "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
1238 "os_compute_api:os-tenant-networks": "rule:admin_or_owner"
1239 "os_compute_api:os-used-limits": "rule:admin_api"
1240 "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
1241 "os_compute_api:os-volumes": "rule:admin_or_owner"
1242 "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
1243 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
1244 "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
1245 "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
1246 "os_compute_api:os-volumes-attachments:update": "rule:admin_api"
1247 "os_compute_api:server-metadata:create": "rule:admin_or_owner"
1248 "os_compute_api:server-metadata:delete": "rule:admin_or_owner"
1249 "os_compute_api:server-metadata:index": "rule:admin_or_owner"
1250 "os_compute_api:server-metadata:show": "rule:admin_or_owner"
1251 "os_compute_api:server-metadata:update": "rule:admin_or_owner"
1252 "os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
1253 "os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
1254 "os_compute_api:servers:create": "rule:admin_or_owner"
1255 "os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
1256 "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
1257 "os_compute_api:servers:create:forced_host": "rule:admin_api"
1258 "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_or_owner"
1259 "os_compute_api:servers:create_image": "rule:admin_or_owner"
1260 "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
1261 "os_compute_api:servers:delete": "rule:admin_or_owner"
1262 "os_compute_api:servers:detail": "rule:admin_or_owner"
1263 "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
1264 "os_compute_api:servers:index": "rule:admin_or_owner"
1265 "os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
1266 "os_compute_api:servers:migrations:delete": "rule:admin_api"
1267 "os_compute_api:servers:migrations:force_complete": "rule:admin_api"
1268 "os_compute_api:servers:migrations:index": "rule:admin_api"
1269 "os_compute_api:servers:migrations:show": "rule:admin_api"
1270 "os_compute_api:servers:reboot": "rule:admin_or_owner"
1271 "os_compute_api:servers:rebuild": "rule:admin_or_owner"
1272 "os_compute_api:servers:resize": "rule:admin_or_owner"
1273 "os_compute_api:servers:revert_resize": "rule:admin_or_owner"
1274 "os_compute_api:servers:show": "rule:admin_or_owner"
1275 "os_compute_api:servers:show:host_status": "rule:admin_api"
1276 "os_compute_api:servers:start": "rule:admin_or_owner"
1277 "os_compute_api:servers:stop": "rule:admin_or_owner"
1278 "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
1279 "os_compute_api:servers:update": "rule:admin_or_owner"
# Nova policy set for Queens: the Pike set plus one additional rule.
# The merge key (<<) pulls in every entry of the mapping anchored as
# &nova_default_policy_pike (the anchor is defined outside this excerpt).
# Keys written explicitly here take precedence over merged ones.
1280 nova_default_policy_queens:
1281 << : *nova_default_policy_pike
# Flavor updates are limited to rule:admin_api, matching the other
# os-flavor-manage rules in the Pike set. The definition of admin_api is
# not visible in this excerpt; verify it before relying on this restriction.
1282 "os_compute_api:os-flavor-manage:update": "rule:admin_api"
# Empty mapping: no Octavia policy entries are defined for Ocata in this file.
# NOTE(review): what the consumer does with an empty set (presumably the
# service falls back to its built-in defaults) is not shown here; confirm.
1283 octavia_default_policy_ocata: {}
# Octavia (load balancer) policy set for Pike, anchored as
# &octavia_default_policy_pike so the Queens set can merge it.
# The first group of entries are reusable alias rules; the
# os_load-balancer_api:* entries further down only reference those aliases.
1284 octavia_default_policy_pike: &octavia_default_policy_pike
# Either the generic admin role or load-balancer_admin satisfies this rule.
1285 "context_is_admin": "role:admin or role:load-balancer_admin"
# Ownership check: presumably compares the caller's project_id with the
# target resource's project_id (oslo.policy generic check); confirm.
1286 "load-balancer:owner": "project_id:%(project_id)s"
# Role AND ownership: the observer/member role alone does not pass without
# the project match, which is what keeps tenants out of each other's resources.
1287 "load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner"
# No ownership term: this role passes the read rules below for any project,
# so it should be assigned sparingly and its assignments audited.
1288 "load-balancer:global_observer": "role:load-balancer_global_observer"
1289 "load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner"
# is_admin:True is an admin bypass with no ownership term. How is_admin is
# set is not shown here (presumably derived from context_is_admin); confirm.
1290 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or is_admin:True"
1291 "load-balancer:read-global": "rule:load-balancer:global_observer or is_admin:True"
# Writes require the member role plus ownership, or admin; observers cannot write.
1292 "load-balancer:write": "rule:load-balancer:member_and_owner or is_admin:True"
# load-balancer_quota_admin is a bare role check without an ownership term,
# so it applies to quotas of every project.
1293 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or is_admin:True"
1294 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or is_admin:True"
# Quota changes are limited to the quota admin role or admin; owners cannot
# change their own quota.
1295 "load-balancer:write-quota": "role:load-balancer_quota_admin or is_admin:True"
# Per-endpoint rules. get_all/get_one/get_stats/get_status map to
# load-balancer:read, post/put/delete map to load-balancer:write, and the
# get_all-global entries map to load-balancer:read-global.
# l7rule and member have no get_all-global entry in this set.
1296 "os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
1297 "os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
1298 "os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
1299 "os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
1300 "os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
1301 "os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
1302 "os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
1303 "os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
1304 "os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
1305 "os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
1306 "os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
1307 "os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
1308 "os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
1309 "os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
1310 "os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
1311 "os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
1312 "os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
1313 "os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
1314 "os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
1315 "os_load-balancer_api:listener:post": "rule:load-balancer:write"
1316 "os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
1317 "os_load-balancer_api:listener:put": "rule:load-balancer:write"
1318 "os_load-balancer_api:listener:delete": "rule:load-balancer:write"
1319 "os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
1320 "os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
1321 "os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
1322 "os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
1323 "os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
1324 "os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
1325 "os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
1326 "os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
1327 "os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
1328 "os_load-balancer_api:member:get_all": "rule:load-balancer:read"
1329 "os_load-balancer_api:member:post": "rule:load-balancer:write"
1330 "os_load-balancer_api:member:get_one": "rule:load-balancer:read"
1331 "os_load-balancer_api:member:put": "rule:load-balancer:write"
1332 "os_load-balancer_api:member:delete": "rule:load-balancer:write"
1333 "os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
1334 "os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
1335 "os_load-balancer_api:pool:post": "rule:load-balancer:write"
1336 "os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
1337 "os_load-balancer_api:pool:put": "rule:load-balancer:write"
1338 "os_load-balancer_api:pool:delete": "rule:load-balancer:write"
# Quota endpoints use the dedicated quota aliases rather than read/write.
1339 "os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
1340 "os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
1341 "os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
1342 "os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
1343 "os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
1344 "os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
# Octavia policy set for Queens: merges the Pike set and then redefines the
# alias rules so that the admin bypass goes through one named rule.
# Keys written explicitly here take precedence over the merged Pike values;
# every os_load-balancer_api:* entry from Pike is inherited unchanged.
1345 octavia_default_policy_queens:
1346 << : *octavia_default_policy_pike
# New alias that replaces the bare is_admin:True term used in Pike.
# It also accepts role:admin and role:load-balancer_admin directly and has
# no ownership term, so holders of either role pass every read/write rule
# below for resources of any project. Audit who holds these roles.
1347 "load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin"
1348 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1349 "load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
1350 "load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1351 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
1352 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
1353 "load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
# Failover is the only endpoint here that bypasses load-balancer:write and
# requires the admin alias, so project members cannot trigger it.
1354 "os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
# Empty mapping: no telemetry policy entries are defined for Ocata in this file.
# NOTE(review): presumably the service's built-in defaults apply; confirm.
1355 telemetry_default_policy_ocata: {}
# Telemetry policy set for Pike.
# Only context_is_admin and segregation carry a real check. Every
# telemetry:* action below has an empty rule string, which oslo.policy
# evaluates as always-true: any caller that reaches policy enforcement is
# allowed, with no role or project condition at this layer.
1356 telemetry_default_policy_pike:
1357 "context_is_admin": "role:admin"
# NOTE(review): presumably governs whether a caller sees data across
# projects; the enforcement lives in the service code, not here. Verify.
1358 "segregation": "rule:context_is_admin"
1359 "telemetry:compute_statistics": ""
# create_samples is a write by its name and is open to every caller here.
# If samples feed billing or alarming, consider restricting it to
# rule:context_is_admin or a dedicated role; this is a deployment decision.
1360 "telemetry:create_samples": ""
1361 "telemetry:get_meters": ""
1362 "telemetry:get_resource": ""
1363 "telemetry:get_resources": ""
1364 "telemetry:get_sample": ""
1365 "telemetry:get_samples": ""
1366 "telemetry:query_sample": ""
# Queens reuses the Pike telemetry set through parameter interpolation
# rather than a YAML merge key, so it has no entries of its own: any change
# to telemetry_default_policy_pike, including its always-allow rules,
# applies to Queens as well.
1367 telemetry_default_policy_queens: ${_param:telemetry_default_policy_pike}